--- title: "Research — Open questions" description: "The questions worth the time. Notes from the substrate. River Caudle's open lines of inquiry into OT security — working notes, not conclusions, published in the open." canonical: "https://rivercaudle.com/research/" author: "River Caudle" keywords: - OT security research - open questions - industrial cybersecurity inquiry - substrate research - working notes --- # Research **The questions worth the time. Notes from the substrate.** Most security research lives at the information layer because that's where the tooling already points. The substrate is where the unanswered questions are. Physics doesn't patch, controllers don't reboot on a maintenance window, and the failure modes that matter don't show up in a log. That's the work worth doing. > **These are working notes, not conclusions. If something here reads as settled, I haven't pushed on it hard enough yet.** --- ## § 01 — Lines of inquiry These are the threads I follow when the engagement work pauses. None of them are finished. Each is here because it resists the easy answer and because getting it wrong has a physical cost. **What I'm pulling on** - **Substrate failure** — how control loops degrade before they fail, and what that looks like upstream. - **Trust boundaries** — where the OT/IT seam actually sits versus where the diagram says it does. - **Change as risk** — quantifying the cost of motion in systems that punish it. - **Ownership decay** — how operational capability erodes when nobody is measuring it. **Why these and not others** - **Physical stakes** — the wrong answer moves something heavy. - **Under-instrumented** — the questions sit where the sensors don't. - **Doctrine-bearing** — answers here change how networks get built. - **Unfashionable** — slow, unglamorous, and therefore neglected. --- ## § 02 — Working hypotheses A hypothesis earns its place by being falsifiable. Each of these is paired with the condition that would make me abandon it. If I can't state that condition, it isn't research — it's a belief. | Current hypothesis | What would falsify it | | --- | --- | | Substrate failures announce themselves before they cascade | Repeated cascades with no measurable precursor signal | | Most OT incidents are ownership failures, not attacks | Incident review showing attack origin dominates | | Change frequency predicts instability better than severity | Stable systems under high change, instability under low | | Visibility gaps follow organizational seams, not technical ones | Gaps clustering in technically uniform, well-owned zones | --- ## § 03 — How I publish **Dated working notes, not premature claims.** Research that hides its uncertainty is marketing. I publish in the open, with the doubt left in. The difference between the two postures below is the difference between honest work and a press release. **Not this:** 1. A finding announced before it's tested. 2. Conclusions with the uncertainty edited out. 3. Numbers presented without their provenance. 4. A claim that can't say what would disprove it. **This:** 1. A dated note that says what I knew, when. 2. The doubt left visible in the text. 3. Method stated before the result. 4. Every hypothesis paired with its falsifier. --- ## § 04 — Where this leads Research isn't separate from the rest of the work — it's the part where doctrine gets stress-tested before it ships. When a line of inquiry resolves, it surfaces in the writing, the position, and the frameworks. Follow the trail. - [Blog](/blog/) — notes as they resolve - [Position](/position/) — what the inquiry hardened into - [Frameworks](/frameworks/) — doctrine, operationalized - [Elsewhere](/elsewhere/) — work published off-site --- *"These are working notes, not conclusions. The questions are the point."* — River Caudle, Houston, Texas